spomky-labs / jose
JSON Object Signing and Encryption library for PHP.
Requires
- php: ^7.0
- lib-openssl: *
- beberlei/assert: ^2.4
- fgrosse/phpasn1: ^2.0
- mdanter/ecc: 0.5.*
- psr/cache: ^1.0
- spomky-labs/aes-key-wrap: ^3.0|^4.0
- spomky-labs/base64url: ^1.0
- spomky-labs/php-aes-gcm: ^1.2
- symfony/polyfill-mbstring: ^1.1
Requires (Dev)
- phpunit/phpunit: ^6.0
- satooshi/php-coveralls: ^2.0
- symfony/cache: ^2.0|^3.0|^4.0
Suggests
- ext-crypto: Highly recommended when you use AES GCM based algorithms.
- ext-curve25519: For EdDSA with X25519 curves support.
- ext-ed25519: For EdDSA with Ed25519 curves support.
- dev-master / 7.1.x-dev
- v7.1.0
- v7.0.1
- v7.0.0
- v6.1.x-dev
- v6.1.7
- v6.1.6
- v6.1.5
- v6.1.4
- v6.1.3
- v6.1.2
- v6.1.1
- v6.1.0
- v6.0.0
- v5.2.0
- v5.1.1
- v5.0.6
- v5.0.5
- v5.0.4
- v5.0.3
- v5.0.2
- v5.0.1
- v5.0.0
- v5.0.0-alpha2
- v5.0.0-alpha1
- v4.0.3
- v4.0.2
- v4.0.1
- v4.0.0
- v3.0.1
- v3.0.0
- v3.0.0-beta4
- v3.0.0-beta3
- v3.0.0-beta2
- v3.0.0-beta1
- v3.0.0-alpha11
- v3.0.0-alpha10
- v3.0.0-alpha9
- v3.0.0-alpha8
- v3.0.0-alpha7
- v3.0.0-alpha6
- v3.0.0-alpha5
- v3.0.0-alpha4
- v3.0.0-alpha3
- v3.0.0-alpha2
- v3.0.0-alpha1
- v2.0.0-beta1
- v2.0.0-alpha2
- v2.0.0-alpha1
- v1.0.0-beta1
- v1.0.0-alpha11
- v1.0.0-alpha4
- v1.0.0-alpha3
- v1.0.0-alpha2
- v1.0.0-alpha1
- v0.4.6
- v0.4.5
- v0.4.4
- v0.4.3
- v0.4.2
- v0.4.1
- v0.4.0
- v0.3.0
- v0.2.1
- v0.2.0
- v0.1.2
- v0.1.1
- v0.1.0
- v0.0.14
- v0.0.13
- v0.0.12
- v0.0.11
- v0.0.10
- v0.0.9
- v0.0.8
- v0.0.7
- v0.0.6
- v0.0.5
- v0.0.4
- v0.0.3
- v0.0.2
- v0.0.1
- dev-guardrails/initial
This package is auto-updated.
Last update: 2019-08-23 18:32:11 UTC
README
If you really love that library, then you can help me out for a couple of 🍻!
⚠️⚠️⚠️
We highly recommend you to use the new JWT Framework project instead of this library.
- Active support of this library is provided until end of 2018.
- Security support will be provided from 2019 and up to end of 2020.
A migration guide will be/is available in the documentation of the new project.
⚠️⚠️⚠️
This library provides an implementation of:
- JWS JSON Web Signature (RFC 7515),
- JWT JSON Web Token (RFC 7519),
- JWE JSON Web Encryption (RFC 7516),
- JWA JSON Web Algorithms (RFC 7518).
- JWK JSON Web Key (RFC 7517).
- JSON Web Key Thumbprint (RFC 7638).
- Unencoded Payload Option RFC7797.
Provided Features
Supported Input Types:
JWS or JWE objects support every input that can be encoded into JSON:
string,array,integer,float...- Objects that implement the
\JsonSerializableinterface such asJWKInterfaceorJWKSetInterface
The detached content is also supported.
Unencoded payload is supported. This means you can sign and verify payload without base64 encoding operation.
As per the RFC7797, the b64 header MUST be protected.
When b64 header is set, the crit protected header with value b64 in its array of values is mandatory.
Supported Serialization Modes
- Compact JSON Serialization Syntax (JWS/JWE creation and loading)
- Flattened JSON Serialization Syntax (JWS/JWE creation and loading)
- General JSON Serialization Syntax (JWS/JWE creation and loading)
Supported Compression Methods
| Compression Method | Supported | Comment |
|---|---|---|
Deflate (DEF) |
YES | |
GZip (GZ) |
YES | This compression method is not described in the specification |
ZLib (ZLIB) |
YES | This compression method is not described in the specification |
Supported Key Types (JWK)
| Key Type | Supported | Comment |
|---|---|---|
none |
YES | None keys are for the none algorithm only |
oct |
YES | Symmetric keys |
RSA |
YES | RSA based asymmetric keys |
EC |
YES | Elliptic Curves based asymmetric keys |
OKP |
YES | Octet Key Pair based asymmetric keys |
JWK objects support JSON Web Key Thumbprint (RFC 7638).
Key Sets (JWKSet)
JWKSet is fully supported.
Supported Signature Algorithms
| Signature Algorithm | Supported | Comment |
|---|---|---|
HS256, HS384 and HS512 |
YES | |
HS256, ES384 and ES512 |
YES | |
RS256, RS384 and RS512 |
YES | |
PS256, PS384 and PS512 |
YES | |
none |
YES | Please note that this is not a secured algorithm. USE IT WITH CAUTION! |
EdDSA with Ed25519 curve |
YES | Third party extension required |
EdDSA with Ed448 curve |
NO |
Please note that the EdDSA signature algorithm specification
is not not yet approved. Support for algorithms Ed25518 and Ed448 may change. Use with caution.
Supported Key Encryption Algorithms
| Key Encryption Algorithm | Supported | Comment |
|---|---|---|
dir |
YES | |
RSA1_5, RSA-OAEP and RSA-OAEP-256 |
YES | |
ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW |
YES | |
A128KW, A128KW and A128KW |
YES | |
PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW |
YES | |
A128GCMKW, A192GCMKW and A256GCMKW |
YES | For better performance, please use PHP 7.1+ or this third party extension |
EdDSA with X25519 curve |
YES | Third party extension required |
EdDSA with X448 curve |
NO |
Please note that the EdDSA encryption algorithm specification
is not not yet approved. Support for algorithms X25518 and X448 may change. Use with caution.
Supported Content Encryption Algorithms
| Content Encryption Algorithm | Supported | Comment |
|---|---|---|
A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512 |
YES | |
A128GCM, A192GCM and A256GCM |
YES | For better performance, please use PHP 7.1+ or this third party extension |
The Release Process
The release process is described here.
Prerequisites
This library needs at least:
,
- OpenSSL extension.
Please consider the following optional requirements:
- For AES-GCM based algorithms (
AxxxGCMandAxxxGCMKW) if not on PHP 7.1+: PHP Crypto Extension (at leastv0.2.1) is highly recommended as encryption/decryption is faster than the pure PHP implementation. - For Ed25519 algorithm: php-ed25519-ext required
- For X25519 algorithm: php-curve25519-ext required
Please read performance test results below concerning the ECC based algorithms. As the time needed to perform operation is long compared to the other algorithms, we do not recommend their use.
Continuous Integration
It has been successfully tested using PHP 7.0, PHP 7.1 and PHP7.2 with all algorithms.
If you use PHP 5.6, please install the version ^6.0 of this project.
Tests vectors from the RFC 7520 are fully implemented and all tests pass.
We also track bugs and code quality using Scrutinizer-CI and Sensio Insight.
Coding Standards are verified by StyleCI.
Code coverage is analyzed by Coveralls.io.
Installation
The preferred way to install this library is to rely on Composer:
composer require spomky-labs/jose
How to use
Have a look at How to use to know how to load your JWT and discover all possibilities provided by this library.
Performances
Please read the performance page to know how fast are the algorithms supported by this library.
Contributing
Requests for new features, bug fixed and all other ideas to make this library useful are welcome. If you feel comfortable writting code, you could try to fix opened issues where help is wanted or those that are easy to fix.
Do not forget to follow these best practices.
Licence
This software is release under MIT licence.